From this and the bounce that he forwards me (to a different address I give him), I determine that it's bouncing because of the file in his signature (image001.gif). However, that does NOT match the "key" in this part of the log:

matching_key="(?-xism:^\\.(exe|lha|tnef|cab|dll)$)"

Furthermore, the .gif extension is nowhere to be found in the /etc/amavisd.conf file (i.e. I'm not blocking emails because they contain .gif images).

I use Postfix as my MTA; when you say 'ban', are you "guessing" that Postfix isn't configured to ban gif images? To my knowledge, no. I've reviewed /etc/postfix/main.cf as well as master.cf. In terms of spam, assuming the email gets past spamhaus, then spamcop, then barracudacentral, I use ClamAV to scan for viruses and additional spam and such. I don't have SpamAssassin.
– David W Sep 12 '12 at 23:12

Thanks for the response. I believe you were correct, but I'm going to wait a little while before confirming. The "blocked anywhere" directive included this line: qr'^\.(exe|lha|cab|tnef|dll)$'. I reexamined the logs, bounce messages, and the info I pasted into this question, and saw a consistent theme: they all contained something with a .tnef extension. I researched it, and it turns out it's coming from Microsoft Outlook, and was considered a potential security vulnerability. I'm researching now how "unsafe" it would be for me to turn it off, but in the meantime, I have done so. Thanks again.
– David W Sep 15 '12 at 2:02
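
Added example (not part of the original thread and not amavisd's own code): a Python check that takes the matching_key field exactly as logged above, removes the Perl qr// wrapper and the doubled backslash, and tests the resulting rule against candidate part names. The part names are constructed for illustration; because the rule is anchored at both ends, it matches only a string that is exactly a dot followed by one of the listed types, which is why image001.gif cannot be the trigger while .tnef can.

```python
import re

# Log field copied from the question above.
LOG_FIELD = r'matching_key="(?-xism:^\\.(exe|lha|tnef|cab|dll)$)"'

# Constructed sample of names a mail part might be tested under.
SAMPLE_NAMES = ["image001.gif", ".gif", "winmail.dat", "report.exe", ".tnef"]


def key_to_regex(log_field):
    """Turn a logged matching_key="..." field into a compiled Python regex."""
    m = re.fullmatch(r'matching_key="(.*)"', log_field.strip())
    if not m:
        raise ValueError("no matching_key field found")
    # The log line shows each backslash doubled; undo that first.
    key = m.group(1).replace("\\\\", "\\")
    # Perl prints a qr// object as (?ON-OFF:BODY) or (?^ON:BODY).
    wrapper = re.fullmatch(r"\(\?(\^?[a-z]*)(?:-[a-z]*)?:(.*)\)", key, re.S)
    if wrapper:
        on_flags, body = wrapper.groups()
    else:
        on_flags, body = "", key
    # Only case-insensitivity changes which names match here.
    return re.compile(body, re.I if "i" in on_flags else 0)


def banned_names(log_field, names):
    """Return the names that the logged rule would ban."""
    rule = key_to_regex(log_field)
    return [name for name in names if rule.search(name)]


if __name__ == "__main__":
    print("rule:", key_to_regex(LOG_FIELD).pattern)
    for name in SAMPLE_NAMES:
        hit = name in banned_names(LOG_FIELD, [name])
        print(f"{name:15} {'BANNED' if hit else 'ok'}")
```
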